4/4/2017
01:20 PM

ADP CISO Offers Tips to Leverage Security to Grow the Business

Savvy CISOs would do their companies a favor by broadly integrating security across the organization, a move that can yield greater revenues, cost savings and an entry into new markets.

When Roland Cloutier joined ADP seven years ago to focus on operational risk, he was tasked with helping the business outsourcing solutions and payroll giant adopt a security-first mindset, one that would ultimately yield cost savings, new markets and revenue.

"I was brought in to specifically do this and [ADP] was ready to accept change to do it," says Cloutier, senior vice president and global chief security officer at ADP.

One step Cloutier took was to place senior-level practitioners in a group called client security management officers (CSMOs), whose full-time job is to answer, quickly and accurately, the security questions that customers and prospects raise about how ADP protects their data and funds.

"Why that is important is because this is not sales people answering security questionnaires, nor is it people in marketing. It's a group of people who have access to the entire portfolio of our security program and can translate that to clients, give clients reports on our critical response center and be on the front end of sales opportunities with answers to security upfront," Cloutier says.

He added that security can help the sales team close deals, because contract negotiations often stall when no one has explained the company's security posture to the customer.

[Cloutier will speak on "Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage" at Interop ITX, May 15-19, at the MGM Grand in Las Vegas.]

Cloutier also changed when a security engineer enters the software development life cycle. Previously a product was built, then handed to a security engineer for evaluation, then returned to developers for rework before it was released to market. Security engineers are now embedded in the development and quality assurance teams, which Cloutier says shortens time to market.

More Tricks of the Trade

Cloutier also cut costs by reducing customer password resets by 68% over an 18-month period. Using a business-process review, he identified where password resets were occurring most often and automated resets in those areas.

"Imagine hundreds and thousands and thousands of calls that come into our call centers from around the globe for password resets," Cloutier says. "This takes our experienced human capital management client service representatives [out of the loop] to reset passwords."

Other customer-service issues he tackled with the same business-process approach included cutting the response time on security questions to within 24 hours, down from the previous four to six weeks.

Transition Challenges

Although Cloutier has succeeded in integrating security across ADP's businesses, he notes that some CISOs may find the move challenging.

"Security is often seen as a component of IT and there are still many companies where their security executives may not be security executives," Cloutier notes. "They may have security leaders in the company, but they don't have access to the C-suite to be able to drive those conversations."

He added that security budgets are often scoped as defensive cyber operations: funded only to manage, maintain and use technology that defends the environment, not to support research and development or go-to-market work.

Until security has that executive access and budget, Cloutier says, it is difficult for companies to make it part of their digital go-to-market strategy and sales opportunities. For instance, he holds three client advisory board meetings a year, paid for by ADP's global sales organization, and he runs an organization fully focused on protecting ADP's marketplace whose costs are paid by the company's chief strategy office.

"There are some responsibilities across the business that understand that security is a lever, as well as … a component of their cost of goods sold," Cloutier says.

Risky Business

When it comes to operational risk management, Cloutier defines it as the ability to understand the issues that could impact ADP's business, shareholders and clients, and then make informed, context-based decisions that reduce the risk to acceptable levels.

The company's ecosystem of risk programs begins with its enterprise risk management organization, a centralized program that looks across 12 areas of risk, such as financial, legal, regulatory, IT and strategy risk.

"ADP is extremely formulized in how they think about risk and develop programs to test and remediate," Cloutier says, adding that ADP relies on Factor Analysis of Information Risk (FAIR), a quantitative risk model, to measure risk and understand its thresholds. He says FAIR gives him a consistent, measured way to evaluate risk across all of ADP's businesses, accounting for the company's diverse market segments, from human capital management platforms to technologies and services, while letting him examine each segment independently.
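To make concrete what a FAIR-style analysis produces, here is an added, simplified illustration in Python; it is not ADP's model or code, and the scenario numbers, the control (MFA) and the loss tolerance are constructed for the example. FAIR decomposes risk into loss event frequency (threat event frequency times vulnerability, where vulnerability is the chance that a threat's capability beats the control's resistance strength) and loss magnitude (primary plus secondary loss). Calibrated three-point estimates are sampled with a triangular distribution, many years are simulated, and the resulting annualized loss distribution is compared against a tolerance, which is the "reduce the risk to acceptable levels" decision the text describes.

```python
"""Simplified FAIR-style Monte Carlo risk analysis (added example, constructed data).

  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
  Vulnerability              = P(threat capability > resistance strength)
  Loss Magnitude (LM)        = primary loss + secondary loss
  Annualized loss            = sum of LM over the loss events in a simulated year
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (min, most likely, max) sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); a degenerate range returns low.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate                  # threat events per year
    threat_capability: Estimate    # attacker skill/resources, percentile 0-100
    resistance_strength: Estimate  # control strength, percentile 0-100
    primary_loss: Estimate         # direct cost per loss event (response, replacement)
    secondary_loss: Estimate       # stakeholder-driven cost per loss event (fines, churn)


def simulate_year(scenario: Scenario, rng: random.Random) -> float:
    """One simulated year: a threat event becomes a loss event only when the
    sampled threat capability exceeds the sampled resistance strength."""
    total = 0.0
    for _ in range(round(scenario.tef.sample(rng))):
        if scenario.threat_capability.sample(rng) > scenario.resistance_strength.sample(rng):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
    return total


def percentile(sorted_values: List[float], p: float) -> float:
    return sorted_values[int(p * (len(sorted_values) - 1))]


def analyze(scenario: Scenario, iterations: int = 5000, seed: int = 7) -> Dict[str, float]:
    """Monte Carlo over many years; returns the annualized loss exposure distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scenario, rng) for _ in range(iterations))
    return {
        "mean": sum(losses) / len(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
    }


def within_tolerance(result: Dict[str, float], tolerance: float, level: str = "p90") -> bool:
    """Decision rule: the scenario is acceptable if the chosen tail (default p90) is under tolerance."""
    return result[level] <= tolerance


# Constructed scenario (hypothetical numbers): credential stuffing against a customer
# portal, before and after enforcing MFA, modelled purely as higher resistance strength.
BASELINE = Scenario(
    name="credential stuffing, password only",
    tef=Estimate(20, 50, 120),
    threat_capability=Estimate(40, 70, 95),
    resistance_strength=Estimate(30, 50, 70),
    primary_loss=Estimate(5_000, 20_000, 80_000),
    secondary_loss=Estimate(0, 30_000, 250_000),
)
WITH_MFA = Scenario(
    name="credential stuffing, MFA enforced",
    tef=BASELINE.tef,
    threat_capability=BASELINE.threat_capability,
    resistance_strength=Estimate(85, 92, 99),
    primary_loss=BASELINE.primary_loss,
    secondary_loss=BASELINE.secondary_loss,
)
TOLERANCE = 1_000_000.0  # hypothetical annual loss appetite for this service


if __name__ == "__main__":
    for scenario in (BASELINE, WITH_MFA):
        r = analyze(scenario)
        print(f"{scenario.name}: mean=${r['mean']:,.0f} p50=${r['p50']:,.0f} "
              f"p90=${r['p90']:,.0f} acceptable={within_tolerance(r, TOLERANCE)}")
```

The value of the exercise is not the absolute dollar figures, which are only as good as the calibrated estimates feeding them, but that every business unit is scored with the same decomposition, so a control such as MFA can be compared against its cost and against an explicit tolerance rather than argued about after the next headline breach.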

He believes other large, mature multinational corporations are also taking a similar approach to risk management and shifting away from a knee-jerk reaction to high-profile security breaches.

"Organizations have been able to look [at] their operations and critical assets and take more of a business operations protection approach, rather than a straight-line cybersecurity approach or a straight-line risk management approach," Cloutier says. "They look at the operating process, their operating platforms, risks and issues and vulnerabilities associated with those and then measure them accordingly to make very informed decisions. So, I truly believe mature businesses are migrating away from that knee-jerk approach." 


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
